Domain-based VPN Routing Script


Haha, and I thought you only played with awk as an enthusiast. JK. I know you know your stuff. While I don't have any VPN's to play along the way, I am free to answer questions and consult as needed on this matter.
When I get some free time I'll throw AdGuardHome on my lab router and play around with it and see what I can do.
 
I decided to move AGH to another device on my home network. I ordered a mini PC for this, I’m waiting for it to be delivered. It will also be useful for other purposes.

I have another question.
How can I make the "querypolicy all" command automatically executed immediately after rebooting the router? Otherwise, sometimes too much time passes before its first execution. And until this happens, the domains included in the policies are unavailable.
 
This should already happen once one of your VPN Clients comes online, it's in the start up scripts for WireGuard and OpenVPN.
 
Yes, I see that the command “sh /jffs/scripts/domain_vpn_routing.sh querypolicy all” is contained in three scripts at once - “openvpn-event”, “wan-event” and “wgclient-start”. Judging by the log, immediately after the router starts, this command is executed, but there is no effect. At the same time, when I log into the web interface of the router, the WG client is running and connected to the server. According to my observations, it took from 5 to 13 minutes after rebooting the router before the sites from the policies became accessible. They become available immediately after messages appear in the log about the next execution of the "querypolicy all" command, or if I execute it manually in the "Domain-based VPN Routing" menu. Maybe add a delay for the execution of this command? Can you tell me how to do this?
In addition, I noticed that occasionally, after some reboots, two absolutely identical entries “/jffs/scripts/domain_vpn_routing.sh querypolicy all” appear in the crontab at once. When this happens, I delete one of them.
 

Attachments: 1.jpg
Ehhh that gets a little muddy, I can see about adding a boot delay maybe.
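The two symptoms in the exchange above (a first "querypolicy all" that runs before the tunnel can carry traffic, and duplicated crontab lines) can both be handled with a few lines of shell. The helpers below are an added example and are not code from domain_vpn_routing.sh or its event hooks; the interface name you pass in (wgc1, tun11, ...) and the cron listing format are assumptions.

```shell
#!/bin/sh
# Added example; not code from domain_vpn_routing.sh or its event hooks.
# Two helpers for the symptoms described above: the first "querypolicy all" firing
# before the tunnel can actually carry traffic, and duplicated cron entries.
# The interface name passed in (e.g. wgc1 or tun11) and the cron tag are assumptions.

POLICY_CMD="/jffs/scripts/domain_vpn_routing.sh querypolicy all"

# tunnel_ready IFACE: succeeds once IFACE exists and has an IPv4 address.
# tun/wg interfaces report "state UNKNOWN" in "ip link", so link state is not
# a usable readiness signal; an assigned address is the earliest one that is.
tunnel_ready() {
    ip -4 addr show dev "$1" 2>/dev/null | grep -q 'inet '
}

# wait_for_tunnel IFACE [TIMEOUT]: poll every 5 s, give up (status 1) after TIMEOUT seconds.
wait_for_tunnel() {
    iface="$1"; timeout="${2:-300}"; waited=0
    while ! tunnel_ready "$iface"; do
        [ "$waited" -ge "$timeout" ] && return 1
        sleep 5
        waited=$((waited + 5))
    done
    return 0
}

# run_policy_after_tunnel IFACE: what a boot-time hook (wgclient-start, openvpn-event)
# could call instead of running the query unconditionally.
run_policy_after_tunnel() {
    if wait_for_tunnel "$1" 300; then
        sh /jffs/scripts/domain_vpn_routing.sh querypolicy all
    else
        logger -t domain_vpn_routing "tunnel $1 not up after 300 s; querypolicy all skipped"
        return 1
    fi
}

# count_cron_entries CMD: number of non-comment lines on stdin (a crontab listing)
# that schedule CMD. Pure text processing, so it can be checked offline.
count_cron_entries() {
    grep -v '^[[:space:]]*#' | { grep -F -c -e "$1" || true; }
}

# dedupe_cron CMD: copy stdin to stdout keeping only the first line that schedules CMD.
# On the router, after reviewing the output:  crontab -l | dedupe_cron "$POLICY_CMD" | crontab -
dedupe_cron() {
    awk -v cmd="$1" 'index($0, cmd) && !/^[[:space:]]*#/ { if (seen++) next } { print }'
}
```

Calling run_policy_after_tunnel from the hook that the script already uses keeps the existing behaviour (the query still runs once the VPN client comes online) but ties it to the tunnel actually being addressable rather than to the hook firing. The cron helpers only read and rewrite the listing, so check the deduplicated output before installing it.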
 
Hi,

I am using your Dual Wan Failover in Load Balance mode and this seems to work really well with the latest update. I am though having issues with Domain VPN Routing, I have Nord VPN configured in ovpn1 and Domain VPN Routing works fine if I only have either one of the internet connections active. If both internet connections are active then the packets bypass the VPN and go out over the Default WAN link even though I can see the created Routes and Rules.

I was just wondering if there are any special settings I should enable that I may have missed.

For testing I have removed all the Dual WAN Routing Rules and only have one Policy created with one website within Domain VPN Routing to make things simple.

I have tested with Dual Wan configured in Failover mode and it works fine again.

Colin
 
I will have to do some testing and research to determine what is going on. Are you using OpenVPN or WG? In the meantime try removing the FWMark for your interface in Domain VPN Routing and see if that allows it to work.
 
Hi, I am using OpenVPN. I have removed the FWMark from the router by running these 2 commands

ip rule del fwmark 0x80000000/0xf000000 lookup wan0 priority 150
ip rule del fwmark 0x90000000/0xf000000 lookup wan1 priority 150

Now when I run tracert to a domain added to a Domain VPN Routing Policy the traffic does go out over the VPN rather than WAN0.

Prior to deleting the FWMarks I tried adding this rule so the FWMark for the Policy had a lower priority and this also worked.

ip rule add fwmark 0x1000/0xf000 lookup wan1 priority 125
 
For load balancing mode your router needs those first 2 to properly perform load balancing. You should try removing the FWMarks from the interface in Domain VPN Routing first.
 
I didn't think I needed to remove the rules but within Domain VPN Routing when I look at the config (option 5) the WAN0 FWMark and WAN1 FWMark aren't editable as they are under the "System Information:" section so I tried removing the IP rules.
 
The firmware and my Dual WAN Failover script will add them back as they are necessary, which is why they aren't editable in Domain VPN Routing. Again, remove the FWMark for the VPN interface for now.
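What Colin observed (routes and rules present, yet policy traffic leaving over the default WAN until the policy rule was given priority 125, ahead of the load-balance rules at 150) is a question of rule ordering in the kernel's policy routing database. The script below is an added example, not code from Domain VPN Routing, Dual WAN Failover or the firmware: it models the lookup offline on a constructed rule set. The 0x1000/0xf000 policy mark and the priorities 125/150 are the values from the thread; the load-balance marks and mask and the ovpnc1 table name are assumed for the illustration.

```shell
#!/bin/sh
# Added example; not code from Domain VPN Routing, Dual WAN Failover or the firmware.
# An offline model of how the kernel's policy routing database (RPDB) picks a table:
# rules are tried in ascending priority number and the first whose fwmark/mask matches
# the packet's mark wins. The 0x1000/0xf000 policy mark and priorities 125/150 are the
# values from the thread; the load-balance marks/mask and the "ovpnc1" table name are
# constructed for the illustration.

# One rule per line, "<priority> <fwmark>/<mask> <table>", as "ip rule show" lists them.
RULES_VPN_AFTER_LB='150 0x80000000/0xf0000000 wan0
150 0x90000000/0xf0000000 wan1
200 0x1000/0xf000 ovpnc1'

RULES_VPN_BEFORE_LB='125 0x1000/0xf000 ovpnc1
150 0x80000000/0xf0000000 wan0
150 0x90000000/0xf0000000 wan1'

# lookup_table MARK: reads a rule list on stdin and prints the table a packet
# carrying MARK would be routed by (the main table if no rule matches).
lookup_table() {
    sort -n | {
        hit=""
        while read -r prio spec table; do
            [ -n "$hit" ] && continue        # first match wins; ignore the rest
            value="${spec%/*}"; mask="${spec#*/}"
            if [ $(( $1 & mask )) -eq $(( value )) ]; then
                hit="$table"
            fi
        done
        echo "${hit:-main}"
    }
}

# A packet marked by both the load balancer (0x8... for wan0) and the policy (0x1000):
# with the policy rule behind the load-balance rules it leaves via wan0, which is the
# "bypasses the VPN" behaviour reported above; in front of them it goes to the VPN table.
demo() {
    printf 'policy rule at 200: %s\n' "$(printf '%s\n' "$RULES_VPN_AFTER_LB"  | lookup_table 0x80001000)"
    printf 'policy rule at 125: %s\n' "$(printf '%s\n' "$RULES_VPN_BEFORE_LB" | lookup_table 0x80001000)"
}
demo
```

The model only covers fwmark matching; real rules can also select on source address, interface and so on, and the table chosen still has to contain a usable route. It is enough, though, to show why the priority number of the policy rule relative to the firmware's load-balance rules decides which path wins when a packet carries both marks.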
 
I decided to move AGH to another device on my home network. I ordered a mini PC for this, I’m waiting for it to be delivered. It will also be useful for other purposes.
That's exactly what I did. I installed Proxmox on a mini PC and created a virtual machine with an Ubuntu server, which now runs AGH and something else (I also plan to create another virtual machine for OpenMediaVault). Now nothing breaks the work of Domain-based VPN Routing Script with dnsmasq and I have not lost the AGH functionality.
 
can you add support for VPN tunnel detection without them running?
like I'd like to config my Policies without toggling the VPN tunnels on in order to select it as an option at Policy creation & editing..

also I have the "Redirect Internet traffic through tunnel" set to No is this right?
as I only want to route specific domains via the VPN & not everything.

however, with this current setup none of my domains connect & with VPN director on it just makes all traffic go through the tunnel when specific LAN devices are set to use the tunnel
otherwise, the domains just default back to WAN.

& all just makes my entire household go through the VPN, so I don't see how this script is supposed to do VPN domain selective routing when it just drops the connection with the "Redirect Internet traffic through tunnel" set to NO.

I'm not sure if any of these are causing issues with your script:

Code:
Skynet
scribe
connmon
scMerlin
spdMerlin
uiScribe
YazDHCP
vnStat
VPNMON-R2
RTRMON
BACKUPMON
VPN Routing

Attachments: 1.png, 2.png, 3.png


if you need logs or other config files I'll post them, as I'm not sure what I'm doing wrong at this point as all the domains I've listed are just getting dropped.
 
Try setting the Redirect Internet traffic through tunnel setting to VPN Director (policy rules) and then reboot. As far as making changes to tunnel selection, I'll consider that and look into it.
 
Does wildcard subdomain names work with this script? From my very superficial test it does not seem to be working.
Negative, but if you have dnsmasq logging enabled it can grab subdomains from a root domain such as xyz.root.com if you have root.com added to your policy.
 
I found that for example youtube serves from many random subdomains from .googlevideo.com, is it possible to direct traffic to all these subdomains through a specified vpn tunnel?
 
You can either add them manually to your policy as you discover the subdomains or you can enable dns logging and as they are queried they will be pulled from the DNS log and added.
 
How do you enable dns logging again? I am looking through the readme and it is not clear. I checked the global.conf file and didn't see anything and didn't see anything in the main menu. Maybe I missed it?
 
Never mind, found it. It's done manually.

Code:
log-queries
log-facility=/var/log/dnsmasq.log
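The replies above describe the mechanism for the googlevideo.com case: with log-queries enabled, names that clients actually resolve can be pulled from the dnsmasq log and matched against a root domain in a policy. The function below is an added example of that harvesting step, not the script's own matching logic; the log lines are constructed, and the log path comes from the log-facility line above.

```shell
#!/bin/sh
# Added example, not code from domain_vpn_routing.sh: how subdomains can be harvested
# from a dnsmasq query log (enabled with "log-queries" / "log-facility=...") for a root
# domain that is in a policy. The log lines below are constructed; the script's own
# matching logic may differ.

SAMPLE_LOG='Mar  3 10:00:01 dnsmasq[1234]: query[A] r3---sn-abc.googlevideo.com from 192.168.50.10
Mar  3 10:00:01 dnsmasq[1234]: forwarded r3---sn-abc.googlevideo.com to 127.0.0.1
Mar  3 10:00:02 dnsmasq[1234]: query[AAAA] r3---sn-abc.googlevideo.com from 192.168.50.10
Mar  3 10:00:05 dnsmasq[1234]: query[A] r5---sn-def.googlevideo.com from 192.168.50.11
Mar  3 10:00:06 dnsmasq[1234]: query[A] notgooglevideo.com from 192.168.50.11
Mar  3 10:00:07 dnsmasq[1234]: query[A] www.example.net from 192.168.50.12'

# harvest_subdomains ROOT: reads dnsmasq log lines on stdin and prints each distinct
# queried name that is ROOT itself or a subdomain of it. Only "query[...]" lines are
# considered (forwarded/reply lines repeat the same names), and the match is made on a
# label boundary so that "notgooglevideo.com" is not taken as part of "googlevideo.com".
harvest_subdomains() {
    awk -v root="$1" '
        $0 ~ /: query\[[A-Z]+\] / {
            name = $0
            sub(/.*: query\[[A-Z]+\] /, "", name)   # strip timestamp, pid and record type
            sub(/ from .*/, "", name)                # strip the querying client
            if (name == root || substr(name, length(name) - length(root)) == "." root)
                if (!seen[name]++) print name
        }'
}

# On the router:  harvest_subdomains googlevideo.com < /var/log/dnsmasq.log
harvest_subdomains googlevideo.com <<EOF
$SAMPLE_LOG
EOF
```

Run against the real log, the output is the list of names a root-domain policy would pick up as clients use the service. Bear in mind that log-queries records every client's lookups: on a router the file sits in RAM-backed /var and grows quickly, and it is a record of browsing activity, so keep it only as long as it is useful.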
 
